I searched a bit: you can specify MySQL parameter types like this,
// Option 1: escape each value and quote it inside the SQL string
// (mysql_* extension; deprecated in PHP 5.5 and removed in PHP 7)
$query = sprintf("SELECT * FROM Users WHERE UserName='%s' AND Password='%s'",
                 mysql_real_escape_string($Username),
                 mysql_real_escape_string($Password));
mysql_query($query);

// ----- or -----

// Option 2: mysqli prepared statement; the values never touch the SQL text,
// "ss" tells bind_param that both placeholders are strings
$db = new mysqli("localhost", "user", "pass", "database");
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt->bind_param("ss", $user, $pass);
$stmt->execute();
I saw a foreigner write it like this; this one looks a bit odd:
<?php
// escaped, but interpolated without surrounding quotes: in this integer
// context the escaping changes nothing, e.g. id=1 OR 1=1 passes through unchanged
$id = mysql_real_escape_string( $_GET['id'] );
$q  = "SELECT * FROM `table` WHERE `id` = $id";
?>
Table 23-1: type characters for the first argument of bind_param (the characters are lowercase; mysqli rejects uppercase ones)

Character | Data type represented
--------- | ---------------------
i         | integer
d         | double
s         | string
b         | blob
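The following is an added example, not code from the original post or its author. It shows why the "escaped but unquoted" snippet above looks odd: mysql_real_escape_string only backslash-escapes quote and control characters, so an integer-context payload such as 1 OR 1=1 goes through untouched and the WHERE clause matches every row. The parameterized form (the equivalent of prepare/bind_param("i", ...)) sends the value separately from the SQL text and is not affected. The escaping function is a constructed emulation of what mysql_real_escape_string does to a string, the users table and its three rows are constructed sample data, and SQLite in memory stands in for MySQL so the block runs offline; the ? placeholder plays the role of bind_param.

```python
import sqlite3

# Constructed emulation of mysql_real_escape_string: it backslash-escapes
# NUL, \n, \r, \, ', " and Ctrl-Z. Note that it never adds quotes.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_real_escape_string(s: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in s)


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the MySQL `table` of the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_escaped_unquoted(conn, raw_id: str):
    """Mirrors the odd-looking snippet: escaped, then interpolated without quotes."""
    q = "SELECT id, username FROM users WHERE id = %s" % mysql_real_escape_string(raw_id)
    return conn.execute(q).fetchall()


def lookup_parameterized(conn, raw_id: str):
    """Mirrors prepare()/bind_param(): the value is bound, not spliced into the SQL."""
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (raw_id,)).fetchall()


def lookup_cast(conn, raw_id: str):
    """Alternative for integer columns, like (int)$id in PHP: coerce before interpolating.
    int() raises ValueError on non-numeric input instead of silently passing it through."""
    return conn.execute("SELECT id, username FROM users WHERE id = %d" % int(raw_id)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("escaped/unquoted, id='1 OR 1=1':", lookup_escaped_unquoted(db, "1 OR 1=1"))
    print("parameterized,    id='1 OR 1=1':", lookup_parameterized(db, "1 OR 1=1"))
    print("parameterized,    id='1':       ", lookup_parameterized(db, "1"))
```

Quoting the escaped value ('%s' instead of bare %s, as the first snippet of the post does) also closes this particular hole in MySQL, but it depends on every caller remembering to quote; binding the value with bind_param("i", ...) or casting it to an integer removes the decision from the query author altogether.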